How can global enterprises solve the “regional problem” when moving to the cloud?
Global enterprises face unique challenges when moving to the cloud as part of their digital transformation initiatives. Setting aside any internal hesitations related to a change of this magnitude, they also need to contend with issues such as:
- Regional cultural biases against cloud-based services
- Different data residency and data sovereignty regulations across jurisdictions
I called Ahmad Dash, OneSpan’s Senior Director of Cloud Operations, to examine these issues in detail.
Drivers for change
First, it’s helpful to understand the context for such digital transformations, says Dash. In his view, client expectations are playing a significant role as more and more digital experiences and transactions come online.
“The qualities of a bank’s service offerings are not necessarily being influenced by competitor banks. In reality, the pressure is being exerted by the Ubers and the Lyfts of the world, simply because the experience you get from their apps revolves around ease of use. In a few clicks you can plan a trip, determine the costs, get information about who you're dealing with, rate the experience, change the credit card you're paying with … For banking customers, the expectations are now much the same.”
Pressures like these are precisely what shunted a huge chunk of business transactions online during and following pandemic lockdowns. What’s changed since then is that the value of these transactions is trending steadily higher, from consumer and business lending, to mortgages, auto finance, and leasing. Absolute value is no longer an impediment to online engagement — it simply doesn’t matter to customers in the “anywhere economy.”
But it does matter to hackers. Hackers very much care about value. That’s why they’re deploying increasingly sophisticated, increasingly well-funded tools to crack high-value digital transactions. The point is, threats are evolving and accelerating, which means that time is of the essence, especially when it comes to rolling out security updates to your critical and customer-facing business processes.
In a context such as this, it makes sense to delegate the responsibility for securing the end-to-end lifecycle of your digital transactions to a cloud service provider that can handle monitoring and updates on their end, while you focus on your core competencies. “This is vastly preferable to focusing on infrastructure and patching and building out data centers,” says Dash, “when what you really want to be focusing on is driving client experience.”
Does that mean the cloud is the ideal destination for everything? No. We’ll get into specific terms to understand the nuances.
Cloud term definitions and general principles
“On-premise” means exactly what it sounds like, says Dash. “It's your own infrastructure hosted in your own facilities. You're responsible for everything from electricity to connectivity. If someone decides to back a car into a post that contains the only fiber-optic cable that's connecting that facility to the internet... well, it could take down everything you have on-prem, for as long as it takes for someone to come out and put that piece of fiber-optic cable together.”
That caveat aside, Dash acknowledges that it can be useful for some companies to run in an on-premise environment for compliance reasons or for purely philosophical considerations around security for certain workloads.
The term “public cloud” can be misleading for some, says Dash. Although the public cloud is hosted on the public internet, that does not mean it's publicly accessible by anyone. It’s simply a reference to infrastructure hosted by a cloud service provider.
Cloud services can also be self-hosted, either in a public cloud and locked off, or zoned in a certain way, so that they are only accessible by specific individuals and entities.
Some organizations run a mix, with some infrastructure in the public cloud and some on-premise or in a private cloud. This offers the benefits of a public cloud while maintaining the level of control that they may feel they need in a local facility.
Which of these you use depends on the services that you're trying to offer, as well as the types of service-level agreements that you're offering to your clients.
Regional considerations, part 1: trust (and verification)
In some cases, global enterprises may encounter cultural reluctance to embark on a cloud-based initiative.
“Giving responsibility to someone else is always difficult,” says Dash. “For instance, I’ll give my daughter access to the car and allow her to drive me to the subway, just so that I can take the subway to work. There’s almost a leap of faith there, for me to give her the car keys and say, yeah, I'm trusting you to get the car back home. It's that level of trust.”
The payoff for that trust is the offloading of a substantial number of tasks, he explains: “driving to the train station, trying to find a parking spot, paying for parking, having a parking pass, leaving my car there for the whole day, coming in in the evening, having to clean the snow off of it, all of those sorts of things ... As opposed to having my car home and secure during the day.”
Organizations, just like people, need to understand what is being handed over, says Dash. “That’s why it’s key for them to validate that their potential providers have a breadth and depth of experience running cloud solutions, providing it to multiple customers, but also having compliance expertise, SOC 2 certifications, those kinds of things — those are the things that allow you to then feel more comfortable with adopting a cloud service.”
“It’s by no means required to take an all-or-nothing approach to cloud service adoption,” he adds. “Some of our customers will on-board a small percentage of their transactions in the cloud, and when those things start to run really smoothly and efficiently, they start to go, well, why don't we have all of the transactions happening in the cloud.”
Regional considerations, part 2: data residency and sovereignty
Organizations with a global footprint need to factor in regulations from different regions, including compliance requirements, data regimes, and data sovereignty issues, which are all critical to the fundamental practices within those organizations. That’s why it’s important for them to work with cloud solution vendors that provide certain compliance guarantees — and that build those guarantees into their customer service DNA, says Dash.
“Customers should absolutely validate that the companies they're dealing with can fit the requirements that they have, whether for compliance or operations, data sovereignty, privacy regimes, or any other regulations, and ensure that those prerequisites are in place.”
Data sovereignty is a key issue to consider when transitioning to a cloud model, and requirements will vary based on the regulatory disposition of the enterprise, their risk acceptance, and the type of data that is involved. Again, says Dash, “it is important to select solutions that account for all of your requirements and that are certified for compliance.”
“We have clients in specific zones where transactions must comply with certain government regulations for the government cloud that they're in,” Dash says. “Those are criteria that we build directly into our product offering. That might mean that the government zone for our product is actually hosted in a different area of the cloud, and segregated from everything else in a way that doesn't allow anything else to be in that cloud.”
“The same goes for our clients in any other industry or vertical or geography. For instance, if a client requires for GDPR purposes that a transaction and its history and its data all reside within a specific region, our solution is engineered and built specifically to ensure that nothing leaves those bounds.”
Ultimately, says Dash, you should demand and validate this regional expertise from your cloud service provider, particularly for complex use cases where there may be different compliance regulations between two regions. “That is their core value-add, and the point is that this frees you to focus on yours.”